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You can read the original story_ here , on SearchSecurity.in. 

BackTrack 5, codenamed "Revolution", the much awaited penetration testing 
framework, was released in May 2011. It is a major development over BackTrack4 R2. 
BackTrack 5 is said to be built from scratch, and has seen major improvements as well as 
bug fixes over previous versions. 


BackTrack is named after a search algorithm 
called "backtracking". BackTrack 5 tools range 
from password crackers to full-fledged 
penetration testing tools and port scanners. 
BackTrack has 12 categories of tools, as shown in 
Figure 1 of this tutorial. 

Penetration testers usually perform their test 
attacks in five phases: 

1. Information gathering 

2. Scanning and vulnerability assessment 

3. Gaining access to the target 

4. Maintaining access with the target 

5. Clearing tracks 

In this tutorial, we will look at the information 

gathering and vulnerability assessment tools in 
BackTrack 5. 

Information gathering 


Information Gathering 
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^ Vulnerability Assessment 
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0 Exploitation Tools 
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Figure 1: Categories of tools in 
BackTrack 5 


Information gathering is the first and most important phase in penetration testing. In 
this phase, the attacker gains information about aspects such as the target network, 
open ports, live hosts and services running on each port. This creates an organizational 
profile of the target, along with the systems and networks in use. Figure 3 of this 
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Command: 


Hosts ' 

Services 


Nmap Output 




Filter Hosts 


Starting Nmap 5.59BETA1 [ http://nfnap.org ! 

2011-09-15 17:15 EOT 
NSE: Loaded 63 scripts for scanning. 

MSE: Script Pre-scanning. 

Initiating ARP Ping Scan at 17:15 
Scanning 192.163,13,130 [1 port] 

Completed ARP Ping Scan at 17:15, 0.21s elapsed 
total hosts) 

Initiating Parallel DNS resolution of 1 host, at 17:15 
Completed Parallel DNS resolution of 1 host, at 
17:15, 13.00s elapsed 
Initiating SYN Stealth Scan at 17:15 
Scanning 192.163.13.130 [1000 ports] 

Discovered open port 139/tcp on 192.163.13.130 
Discovered open port 135/tcp on 192.163.13.130 
Discovered open port 80/tcp on 192.163.13.130 
Discovered open port 445/tcp on 192.163.13.130 
Discovered open port 443/tcp on 192.163.13.130 
Discovered open port 21/tcp on 192,163.13.130 


Figure 2: Zenmap U! in BackTrack 5 

tutorial is a screenshot of Zenmap, the BackTrack information gathering and network 
analysis tool. The intense scan mode in Zenmap provides target information such as 
services running on each port, the version, the target operating system, network hop 
distance, workgroups and user accounts. This information is especially useful for white 
box testing. 

Other BackTrack 5 information gathering tools of interest are CMS identification and 
IDS-IPS identification for web application analysis. CMS identification gives information 
about the underlying CMS, which can be used to do a vulnerability research on the CMS 
and gather all the available exploits to test the target system. The joomscan tool (for the 
Joomla CMS) is covered later in this tutorial. 
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Maltego BackTrack Edition 3.0.4 



Figure 3: Maltego Ul in BackTrack 5 

Another interesting and powerful tool is Maltego, generally used for SMTP analysis. 
Figure 4 of this tutorial shows Maltego in action. 

The Palette in Maltego shows the DNS name, domain, location, URL, email, and other 
details about the website. Maltego uses various transformations on these entities to 
give the pen tester necessary details about the target. Views such as mining view, edge 
weighted view, etc, provide a graphical representation of the data obtained about a 
particular target. 

Vulnerability assessment 

The second phase in pen testing is vulnerability assessment. After gaining some initial 
information and an organizational profile of the target through conclusive foot-printing, 
we will assess the weak spots or vulnerabilities in the system. There are a number of 
vulnerability databases available online for ready use, but we will focus on what 
BackTrack 5 has to offer in this tutorial. 
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fl /n s/ x root@bt: /pentest/web/scanners/joomscan 

c | File Edit View Terminal Help 

(vulnerability Entries: 466 
■Last update: August 18, 2009 

I Use "update” option to update the database-- 

I Use "check" option to check the scanner update _ 

I Use "download" option to download the scanner latest version package 
I Use svn co to update the scanner 

Isvn co https://jooinscan.svn.sourceforge.net/svnroot/joomscan joomscan 


Target: http://leadingminds.co.in 

Server: Apache 

X- Powere£r8y: PrtP/5.1?i6 


## Checking if the target has deployed an Anti-Scanner measure 
[!] Scanning Passed . OK 


## Detecting Joomla! based Firewall ... 


Figure 4: Joomscan in action 


Web application scanners are used to assess website vulnerabilities. Figure 5 of this 
tutorial shows joomscan in action. Joomscan is meant for Joomla-based websites and 
reports vulnerabilities pre-stored in the repository. 

Joomscan can be run with the following command: 

./joomscan.pi -u <string> -x proxy:port 

Here <string> is the target Joomla website. Joomscan has options for version detection, 
server check, firewall activity, etc. As can be seen in Figure 5 of this BackTrack 5 tutorial, 
the target Joomla website is running on an Apache server using PHP version 5.5.16. 

OpenVAS (Open Vulnerability Assessment System) on BackTrack 5: Opening 
Applications -> Backtrack -> Vulnerability scanners -> OpenVAS will give you the list of 
options shown in Figure 6 of this tutorial. 
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^ Applications Places System f>T] 

Accessories ► 

’b BackTrack ► Information Gathering 

► 

^ OpenVAS Adduser 

tU OpenVAS 

► 

^ Openvas check setup 

^ mantra 


^ OpenVAS Mkcert 

calation 

► j 

^ OpenVAS NVT Sync 

Access 

► 

^ Start Greenbone Security Assistant 

jineering 

► 

Start Greenbone Security Desktop 


► 

^ Start Openvas Administrator 

ng 

► - 

^ start Openvas Cli 


► 

^ Start OpenVAS Manager 

>ols 

► * 

^ Start OpenVAS Scanner 


► 

^ Stop Greenbone Security Assistant 

•us 

► 

^ Stop Openvas Administrator 
^ Stop Openvas Cli 
^ Stop OpenVAS Manager 
^ Stop OpenVAS Scanner 




Figure 5: OpenVAS options in BackTrack 5 


OpenVAS is a powerful tool for performing vulnerability assessments on a target. Before 
doing the assessment, it is advisable to set up a certificate using the OpenVAS MkCert 
option. After that, we will add a new user from the menu in this BackTrack 5 tutorial. 

The user can be customized by applying rules, or assigned an empty set by pressing 
Ctrl+D. Once a new user has been added with login and other credentials, we can go 
ahead with the assessment part of this tutorial. 
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Jser rules 


openvassd has a rules system which allows you to restrict the host 
s the right to test. " 

For instance, you may want him to be able to scan his owp h ost onl 

Please see the openvas-adduser(8) man page for the rules syntax. 

Enter the rules for this user, and hit ctrl-D once you are done: 
(the user can have an empty rules set) 


Login : 

Password a 

Rules : 


Is that ok? (y/n) [y] y 
user added. 


root 

* * * *** * * * * * 


\, I 


■ ^ 


Figure 6: Adding a user with OpenVAS 

OpenVAS works on the client/server model in the assessment process. You should 
regularly update the arsenal to perform efficient tests. 

OpenVAS vs Nessus Scanner 

Nessus Scanner is another vulnerability assessment tool for carrying out automated 
assessments. Let's take a look at the difference between the two in the next step of this 
tutorial. 

Nessus has two versions, free and paid, while OpenVAS is completely free. Recent 
observations have shown that the plug-in feed from these two scanners is considerably 
different, and depending on only one tool is not recommended, as automated scanners 
can throw up lots of false positives. 

Clubbing manual scanners with other tools, alongside automated scanners, is 
recommended for doing a comprehensive assessment of the target. BackTrack 5 also 
offers other tools under this category including CISCO tools, which are meant for CISCO- 
based networking hardware. Fuzzers are also available, categorized as network fuzzers 
and VOIP fuzzers. 
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It's evident from the above tutorial that Backtrack 5 has a lot in offer in terms of 
information gathering and vulnerability assessment. In this tutorial, I have made an 
effort to show the one or two tools which I felt would be most useful to readers. It's 
best to try out all tools so that you have first-hand experience of BackTrack 5, and the 
power it brings to a pen tester's arsenal. In subsequent tutorials, we shall see how 
Backtrack 5 facilitates exploitation of a target. 

Step this way, to read the next installment of our BackTrack 5 tutorial'• which deals 

with exploits of remote systems. 



About the author: Karthik R is a member of the NULL community. 
Karthik completed his training for EC-council CEH in December 2010, 
and is at present pursuing his final year of B. Tech, in Information 
Technology, from National Institute of Technology, Surathkal. Karthik 
can be contacted on rkarthik.poojary@gmail.com. He blogs 
at httg^/www^egsilonjambda. wordpress.com 


You can subscribe to our twitter feed at @SearchSeciN. You can read the original storY 
here , on SearchSecurity.in. 
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